CVE-2023-41061
Published: 07 September 2023
Summary
CVE-2023-41061 is a high-severity Improper Input Validation (CWE-20) vulnerability in Apple iPadOS. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 21.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A validation issue was addressed with improved logic in watchOS, iOS, and iPadOS. The flaw affects versions prior to watchOS 9.6.2, iOS 16.6.1, and iPadOS 16.6.1 and permits a maliciously crafted attachment to trigger arbitrary code execution. The issue carries a CVSS 3.1 base score of 7.8: the attack vector is local, attack complexity is low, and no privileges are required, but exploitation depends on user interaction with the attachment.
An attacker able to supply a crafted attachment can achieve code execution on the target device, resulting in full compromise of confidentiality, integrity, and availability. Because the vector is local and user-interaction dependent, exploitation typically involves delivering the attachment through messaging, email, or other channels that allow the victim to open or preview the file.
Apple security updates HT213905 and HT213907, along with the corresponding Full Disclosure postings, state that the vulnerability is resolved by installing watchOS 9.6.2, iOS 16.6.1, or iPadOS 16.6.1. The advisories further note that Apple is aware of reports indicating the issue may have been actively exploited in the wild. The associated EPSS values have remained low and essentially flat, with a current score of 0.0114 and a peak of 0.0115.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-45582
Vulnerability details
A validation issue was addressed with improved logic. This issue is fixed in watchOS 9.6.2, iOS 16.6.1 and iPadOS 16.6.1. A maliciously crafted attachment may result in arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
- CWE(s)
- KEV Date Added: 11 September 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly addresses the root cause (CWE-20 improper input validation) by enforcing validation of untrusted attachment data before processing.
Requires timely application of the vendor patches (iOS 16.6.1 / watchOS 9.6.2) that remediate the validation flaw.
Malicious-code protections can block or alert on the arbitrary code introduced by the crafted attachment.